I'll leave this up for reference, but a better and more complete guide is available, so use that instead.
This is the bare minimum necessary to configure Firefox so that it behaves in a reasonable manner.
This document was last updated on 27 January 2017 and was tested with a clean install of Firefox 57.
Verify these steps each time Firefox is updated.
- Go to uBlock Origin and click Add to Firefox
This will filter out most of the advertisements on websites, saving you a shitload of network traffic (and if your computer is slow, not having to show all that crap is a big speedup). Once you get it set up you can just ignore it, but if you care it will tell you how much stuff it's blocked on your behalf.
- Click on the newly-appeared red shield and look for the icon that looks like three horizontal lines with squares on them.
- Click on that and it will open a tab called "uBlock₀ - Dashboard".
- Check the Block CSP reports box.
- Click on 3rd-party filters and make sure the following boxes are checked:
- uBlock filters
- uBlock filters Annoyances
- uBlock filters Badware risks
- uBlock filters Experimental
- uBlock filters Privacy
- uBlock filters Resource abuse
- uBlock filters Unbreak
- Adblock Warning Removal List
- Fanboy's Enhanced Tracking List
- Fanboy's Annoyance List
- Fanboy's Cookiemonster List
- Fanboy's Social Blocking List
- Click Apply changes in the upper-right corner
- Click Update now and close the "uBlock₀ - Dashboard" tab.
- Go to Decentraleyes and click Add to Firefox
Most websites load the same files over and over from the same places -- primarily Google servers. This thing puts all that right in your browser, making for less network traffic and denies Google the privilege of inspecting your usage patterns. Once it's installed you can ignore it.
- Go to DDG Privacy Essentials and click Add to Firefox
This thing blocks a lot of advertising spyware and gives you a report on how abusive a given website is. You don't have to care, though.
- Open a new tab. Click the gear icon in the upper-right corner and uncheck all of it.
- Open a new tab and paste about:preferences into the URL bar.
- Uncheck Automatically update search engines
- Click on Search and set your preferred search engine here.
- Optionally delete the other search engines from the One-click Search Engines table.
(Otherwise they clutter up your search box and url bar every time you type anything.)
- Click on Privacy and Security.
- Find Tracking Protection and set to Always.
(Why would you turn this off? Only Mozilla knows.)
- Find Send websites a Do Not Track signal... and set to Always.
(They won't listen, but it's worth a try.)
- Unless you are blind, check Prevent accessibility services from accessing your browser.
(Everything that uses this except screen-readers is some kind of attack.)
- Uncheck Allow Firefox to send technical and interaction data to Mozilla.
(Mozilla has never looked at this information, so it's a waste of your bandwidth.)
- Uncheck Block dangerous and deceptive content.
(It does this by reporting every domain you visit to Google.)
- Uncheck Query OCSP responder servers...
(This works by asking some third party about the sites you're visiting. The danger it protects you from is very rare and probably not worth sending your browser history to internet randos in realtime.)
- Find Tracking Protection and set to Always.
- Open a new tab and type about:config into the URL bar. Click I accept the risk.
- Paste dom.serviceWorkers.enabled into the search box. Double-click on true so it turns to false.
(Service workers provide no user benefit and are frequently abused by ad networks.)
- Paste network.IDN_show_punycode into the search box. Double-click on false so it turns to true.
(This prevents people using bullshit alphabets from showing lookalike domain names.)
- Paste geo.wifi.uri into the search box. Double-click to edit, empty it, and save.
(This stops firefox from sending your wifi info to Google.)
- Paste network.http.speculative-parallel-limit into the search box. Make sure the value is 0.
(This stops Firefox from trying to guess what you'll click next and downloading everything it guesses.)
- Paste network.predictor.enabled into the search box. Make sure the value is false. (More of the same.)
- Paste network.dns.disablePrefetch into the search box. Make sure the value is true.
(Yep, this too.)
- Paste network.prefetch-next into the search box. Make sure the value is false.
(Are you detecting a pattern)
- Paste extensions.pocket.enabled into the search box. Make sure the value is false.
(This is Mozilla's attempt to get you to save the contents of things you read to their servers.)
- Paste browser.send_pings into the search box. Make sure the value is false.
("Browser pings" exist only to track you. There is no other reason for them to exist. Anyone telling you otherwise is your enemy.)
- Paste beacon.enabled into the search box. Make sure the value is false.
(These are almost indistinguishable from "browser pings" and are also only used for tracking you.)
- Paste browser.urlbar.trimURLs into the search box. Double-click on true so it turns to false.
(This setting hides part of the address you've loaded, because someone at Mozilla thought it was prettier that way. We disable it because we don't want the browser to lie to us.)
- I strongly recommend the use of the uMatrix addon.
It requires more effort than the above setup, but provides a much more comprehensive set of protections against dumb shit. It can be a lot of work, although once you have things set up the way you want it's pretty simple.
- Disable Firefox's inbuilt password manager and use a better one -- preferably one not integrated into your browser.
- Disable "Search suggestions."
This basically sends everything you type into the url bar to your search provider. This is a waste of networking and you just wind up at the same search result page anyway.
- Install the Cookie AutoDelete addon.
This deletes tracking data when you close a tab. You can whitelist websites where you want to stay logged in.
- In about:config, find media.peerconnection.enabled and set it to false.
This disables WebRTC, which is only used in some niche videoconferencing sites. If you find yourself in need of such, you can always turn this back on then.
- In about:config, find dom.event.clipboardevents.enabled and dom.allow_cut_copy and set them to false.
This stops sites from tracking what you select, copy, or paste; it also stops sites from directly manipulating your clipboard. Turning these off may break sites like Google Docs or Office 365, so if you need those, skip this step.
- In about:config, find media.autoplay.enabled and set it to false. Why isn't this the default? Because browser vendors are your enemies. In its defense, Netflix will break with this setting.
- In about:config, find toolkit.cosmeticAnimations.enabled and set it to false. This turns off all of the stupid tabs sliding around and so on.